CVE-2024-23752
https://notcve.org/view.php?id=CVE-2024-23752
GenerateSDFPipeline in synthetic_dataframe in PandasAI (aka pandas-ai) through 1.5.17 allows attackers to trigger the generation of arbitrary Python code that is executed by SDFCodeExecutor. An attacker can create a dataframe that provides an English-language specification of this Python code. NOTE: the vendor previously attempted to restrict code execution in response to a separate issue, CVE-2023-39660.
References: https://github.com/gventuri/pandas-ai/issues/868
CWE-862: Missing Authorization
CVE-2023-39660
https://notcve.org/view.php?id=CVE-2023-39660
An issue in Gabriele Venturi pandasai v0.8.0 and before allows a remote attacker to execute arbitrary code via a crafted request to the prompt function.
References: https://github.com/gventuri/pandas-ai/issues/399, https://github.com/gventuri/pandas-ai/pull/409
CWE-94: Improper Control of Generation of Code ('Code Injection')
CVE-2023-39661
https://notcve.org/view.php?id=CVE-2023-39661
An issue in pandas-ai v0.9.1 and before allows a remote attacker to execute arbitrary code via the _is_jailbreak function.
References: https://github.com/gventuri/pandas-ai/issues/410
CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')